Advance Program
***************************
Joint CSG/Microsoft Workshop
An In-Depth Technical Exchange on NT5 and Associated Technologies
Purpose:
--------
The purpose of this workshop is to bring together the core technical people
from the CSG organizations and the core technical architects on the NT5
development team for in-depth discussion, based in large part on a set of
questions and issues identified in advance. Because of the large commitment
of intellectual resources required on both sides, it is essential that the
technical value of the program match the technical commitment of the
participants.
Details:
--------
Date: Monday June 8 - Wednesday June 10
Time: 9am-5:30pm each day
Where: Seattle/Redmond, WA
Hotel: Location and Reservation Information forthcoming
Attendance:
-----------
We've planned for up to 100 people and are organizing the program to
provide a very high order of technical interchange. There's room for
up to three of your most qualified, technical folks, those who'll be
responsible for the systems/network analysis and integration of NT5
technologies on your campus.
Program:
--------
The three-day workshop will be organized into four basic sections:
(1) Monday morning: Welcome and short review of some current
work to date
. MIT Project Pismere
http://web.mit.edu/pismere/
. CMU Project Orpheus [URL on the way]
(2) Monday afternoon - Tuesday: Broad Interest Technical Q/A
the technical Q/A sessions that pretty much everybody
wants to know about (e.g. Active Directory)
(3) Tuesday - Wednesday morning: Particular-Interest Q/A
we expect to run 2-3 parallel sessions for the more
specialized technical topics where there is less
overlap among the technical experts.
(4) Wednesday afternoon: General Q/A and Wrap-up
Things that came up over the last two days but didn't
get covered, and what we'll take away.
Topics:
-------
The majority of the program will be focused on technical Q/A on
*our* most pressing issues relative to the integration of NT5 on
our campuses. Many of these issues will be quite specific, and
should lead to some detailed engineering discussions. In order
to get the *best* list of issues and questions, we're asking that
each CSG member institution submit their Top-10 technical issues,
questions, and concerns relative to NT5, plus the top 3-5 results
they'd like to take away from the workshop. We will collate the
items as we receive them and post them without attribution through
the CSG web site. If answers or responses become available from
Microsoft before the workshop, they will also be posted there.
Included below is a first draft of issues and questions compiled by
the program committee so far.
Schedule (Red-Letter Dates):
----------------------------
5/12/98 program announcement public
5/15/98 21-day advance purchase deadline for airline tickets
5/20/98 CSG Institutions submit Top-10 Questions and Top-3 Desired
Results to the program committee (mailto:poepping@cmu.edu)
5/22/98 Draft 2 questions/topics available through CSG website
5/29/98 Workshop Program finalized
Program Committee
-----------------
Terry Gray University of Washington
Paul Hill MIT
RL "Bob" Morgan Stanford
Mark Poepping Carnegie Mellon
David Ladd Microsoft
Todd Needham Microsoft
-----------------------------
Draft 1: Issues and Questions
-----------------------------
High-Level Issues/Questions:
What we need... "Is academia different?"
1) All of the CSG schools have privately owned machines in their
domain in addition to machines owned by the school. The
privately owned machines are usually not under direct control
of the school's Information Systems or equivalent department.
2) Most of the schools do not run a firewall that attempts to
protect the entire school. Some of the schools have a firewall
in some areas, often to reduce liability of the medical schools
or university medical facilities.
3) Most of the schools have a very diverse, heterogeneous computing
environment. Few, if any, of the schools desire to standardize
solely on Microsoft operating systems. There's a difference
between compatible, interoperable, and interchangeable; the
last attribute is a characteristic of a truly 'open' system.
4) Most, but not all, of the schools have an existing Kerberos
version four infrastructure. Not all of the machines using
Kerberos version 4 clients are under the direct control of IT
resources.
5) Campuses are not closed environments. Most of the schools contain
areas where the public may gain easy access to facilities, such
as libraries.
6) I'd like an Internet-accessible directory service, a replicated
directory service for basic contact info, accessible to Internet
via web, LDAP, ph?, separable from the authentication database
for security and robustness reasons, supporting access controls
by source addr and/or authenticated user.
7) I need a campus-wide file service a la AFS.
8) Cluster workstations (nomadic use): we'd like any of our many
users to be able to walk up to an NT workstation, log in via a
central service and [quickly] get their 'home' environment served
up to them, including applications and personal files. On log
out, their state should be wiped.
- roaming profiles and concurrent use (logged in on 2+ systems
at once)
- interoperation/integration for heterogeneous OS environs?
any plan for central, interoperable storage of:
. bookmarks
. private keys
. app. config data
- which aspects of these strategies would be related to ADS,
which are related to ZAW, SMS, or the logo requirements?
Technical Issues/Questions:
1) Kerberos interoperability, architecture of the domain
controllers, basic security differences between UNIX and NT,
e.g. impersonation instead of process-based, except of course
for services or the new MSI.
- server integration issues
- client-side support, support in apps, in http
- migration tools for going from UNIX KDC to NT KDC
- any chance of NT KDC as replica of non-NT KDC?
- v4 compatibility
- shadow realm vs. single realm
2) Directory services, subdomains.
- including entry naming and how to lay out the tree
- at the PDC there was mention of someone providing a domain
controller running on UNIX. Who is doing this? What flavors
of UNIX? When?
- benchmarks to add a few thousand users to an NT ADS via LDAP?
- limits on group nesting
- issues for existing X.500 server or LDAP infrastructure
3) DHCP Service
- details on the default address assignment when no DHCP server
is detected.
- Do they suggest a DHCP server to use if we don't use the MS
DHCP server? (They tell us that we can use BIND 8.x instead
of their nameservers, so...) If not, what services apart from
raw answering of queries should it support? In particular,
what needs to be supported if we want to run a non-ms DHCP
server with the MS DNS servers?
4) DNS Service
They say we can use BIND 8.x and still accomplish things.
However:
- If we use BIND, how do we get the data we must add to the
configuration files if we don't support dynamic updates?
Specifically, I want to know what we need to add to the zone
files to support all of those funny names based on SIDs, GUIDs, etc.
- any plans to support DNSSEC, as well as TSIG, for DNS security?
5) IPSec
- Which NT5 beta will support the latest IPSec RFCs? How well
will it interoperate with non-IPSec hosts?
6) NT as Router/firewall
NT servers can now be routers. How do we suppress this ability on
our campus, including dorm machines which we don't own or control?
7) Can you do Traffic or Service monitoring or filtering on the local
machine? NT-Server only?
8) Time synchronization
where do they get the time? NTP? Something else? How secure is
it? Can we replace this with NTP?
9) Windows Terminal Server (Hydra): scaling, security, licensing,
UNIX client availability?
10) Transaction Server
11) Web application development: if you aren't *quite* ready to
abandon Macs and/or UNIX desktops, what technology makes the most
sense? Java applets, native Java with push, ActiveX controls,
DHTML, ...
12) securing a domain controller so that it functions but offers no
other services and minimal entry points?
13) File and print services
- authentication (cross platform)
- client-server integration (cross-platform)
14) PKI
- AD and Kerberos
- Integration
- PGP support in addition to S/MIME?
15) ZAW (Zero Admin Windows), MSI (Microsoft Installer), and SMS
(Systems Management Server)
- how do we deploy 100 new machines at a time with preinstalled
software configurations?
- can we do multi-tiered software configuration control (site,
dept, group, user)?
- installation, update, inventory.
- NT logo requirements, MSI: our developers need to make sure
that they write applications that will be easy to support. ZAW,
MSI and the logo program claim to help. How did Microsoft reach
these conclusions? Do the requirements meet our needs if we
are not exclusively using Microsoft networking solutions
(e.g. NetWare or the NT AFS client)?
16) Can we talk about the case *against* Directory Enabled Networks?
17) What is MS doing about QoS, e.g. tracking port-agile,
delay-sensitive apps, and what are their RSVP plans?
18) IPv6 is going to happen because MS corporate customers want to
run it behind their firewalls/NAT boxes. Can you say
"NAT doesn't like IPSec"? Which one is going to give?
19) Why Linux will survive NT
20) What? You can't do TCP wrappers on NT??
21) SNMP - multi-agent support via AgentX?